Last updated: 23 June 2025
AI Chat Innovators Ltd (“we”, “us”) provides an HR‑Coaching SaaS platform on behalf of your employer 'Avertri'. Your employer is the controller of your personal data; we act only as their processor.
1 · What data we process
| Category | Examples | Purpose | Legal basis (UK GDPR) | Retention* |
|---|---|---|---|---|
| Account data | Name, corporate e‑mail | Create & secure your account | Contract Art 6(1)(b) | Deleted immediately when your employer removes your profile; encrypted backups rotate after 7 days |
| Usage logs | Timestamps, feature clicks, IP, user‑agent | Troubleshooting & security audit | Legitimate interest Art 6(1)(f) | 90 days · extended to 12 months if investigating an incident |
| AI interaction answers | Responses you click “Save answer” on | Provide historical coaching context | Contract Art 6(1)(b) | Deleted immediately when your employer removes your profile; encrypted backups rotate after 7 days |
| AI interaction questions | Text you type to the coach | Generate live coaching response via OpenAI API. Prompts are not used to train or improve OpenAI models. | Contract Art 6(1)(b) | ≤ 30 days at OpenAI (encrypted abuse‑monitoring logs)† |
*Retention periods may be shortened or extended at your employer’s written instruction.
† Deleted sooner if we activate OpenAI’s Zero‑Data‑Retention option.
2 · Sub‑processors
| Provider | Service / purpose | Region / retention & safeguards |
|---|---|---|
| Render.com | Primary application & PostgreSQL database hosting | DE (Frankfurt) – data remain in EEA; daily encrypted backups 14 days |
| Render Global CDN | Edge delivery of static assets | Worldwide edge cache, objects expire < 24 h; origin Frankfurt (EEA) |
| OpenAI (EU endpoints) | AI model inference for coaching responses | IE (Dublin) – EEA; abuse‑monitoring logs ≤ 30 days (0 days if ZDR); no model‑training; SOC 2; SCCs |
3 · Security measures
- Encryption in transit – TLS 1.2+ for all external connections
- Encryption at rest – AES‑256 for databases, backups and object storage
- Pseudonymisation – Employee names are hashed (HMAC‑SHA‑256) before leaving our servers
- Access control – SSO, least‑privilege IAM, 90‑day key rotation
- Monitoring – Platform IDS & audit logs (Render)
4 · International transfers
Data are hosted in Germany. Transient CDN edge copies expire within 24 hours. Where data leave the UK/EEA (e.g. model inference), transfers are protected by the EU Commission & UK ICO Standard Contractual Clauses or adequacy decisions.
5 · Your rights
You have the right to access, rectify, erase, restrict or object to processing, and to data portability. Please contact your employer’s HR team to exercise these rights; we will assist them promptly.
6 · Complaints
You may lodge a complaint with the UK Information Commissioner’s Office.
7 · Automated decision‑making
We do not make decisions that produce legal or similarly significant effects based solely on automated processing.
8 · Contact
Data Protection Officer — dpo@aichatinnovators.com